About privileges - Security Center 5.12

Security Center Administrator Guide 5.12

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.12
Language: English
Last updated: 2024-09-13

Privileges define what users can do, such as arming zones, blocking cameras, and unlocking doors, over the part of the system they have access rights to.

User privileges in Security Center are divided into the following groups:
  • Application privileges: Grant access to the Security Center applications.
  • General privileges: Grant access to the generic Security Center features.
  • Administrative privileges: Grant access to entity configuration in Config Tool.
  • Task privileges: Control accessibility to the various Security Center tasks.
  • Action privileges: Control the actions that can be performed on the system entities.

For a list of available privileges, see the Security Center 5.12 Privileges.

You can also refer to the Privileges page of a user or user group in the Config Tool User management task.

Privilege hierarchy

Privileges are organized in a hierarchy, with the following behavior:
  • For a child privilege to be allowed, the parent privilege must be allowed.
  • If a parent privilege is denied, all child privileges are denied.
  • A child privilege can be denied when the parent privilege is allowed.

Privilege inheritance

Privilege settings can be inherited from user groups and replaced at the member (user or user group) level according to the following rules:
  • A privilege that is undefined at the group level can be allowed or denied at the member level.
  • A privilege that is allowed at the group level can be denied at the member level.
  • A privilege that is denied at the group level is automatically denied at the member level.
  • When a user is a member of multiple user groups, the user inherits the most restrictive privilege settings from its parents. This means that Deny overrules Allow, and Allow overrules Undefined.
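
The hierarchy and inheritance rules above can be modeled as a small resolver, which is useful for reasoning about what a user ends up with before changing group memberships. This is an added example, not Genetec code or the Security Center SDK: the privilege names, groups, and users are constructed, and treating an Undefined result as "not granted" is an assumption of the model.

```python
from enum import IntEnum

class State(IntEnum):
    UNDEFINED = 0
    ALLOW = 1
    DENY = 2  # highest value is most restrictive, so max() gives Deny > Allow > Undefined

# Constructed privilege tree (child -> parent); not real Security Center identifiers.
PARENT = {"video": None, "video.block_camera": "video",
          "doors": None, "doors.unlock": "doors"}

# Constructed members: explicit settings plus the user groups each one belongs to.
MEMBERS = {
    "Operators":  {"groups": [], "set": {p: State.ALLOW for p in PARENT}},
    "NightShift": {"groups": [], "set": {"doors.unlock": State.DENY}},
    "Trainees":   {"groups": ["Operators"], "set": {"video": State.DENY}},
    "alice": {"groups": ["Operators"], "set": {"video.block_camera": State.DENY}},
    "bob":   {"groups": ["Operators", "NightShift"], "set": {"doors.unlock": State.ALLOW}},
    "carol": {"groups": ["Trainees"], "set": {"video.block_camera": State.ALLOW}},
}

def inherited_state(member, privilege):
    """Inheritance: most restrictive of the member's own setting and all parent groups."""
    entry = MEMBERS[member]
    states = [entry["set"].get(privilege, State.UNDEFINED)]
    states += [inherited_state(group, privilege) for group in entry["groups"]]
    return max(states)

def is_granted(member, privilege):
    """Hierarchy: granted only if the privilege and every ancestor resolve to ALLOW.
    Assumption: an UNDEFINED result is treated as not granted."""
    node = privilege
    while node is not None:
        if inherited_state(member, node) != State.ALLOW:
            return False
        node = PARENT[node]
    return True

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for priv in PARENT:
            state = inherited_state(user, priv).name
            print(f"{user:6} {priv:20} {state:9} granted={is_granted(user, priv)}")
```

In this model, bob's member-level Allow on `doors.unlock` does not survive the NightShift Deny, and carol's Allow on `video.block_camera` has no effect because the parent `video` privilege is denied through Trainees.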

Exceptions to privilege rules

The following exceptions apply to the privilege rules:
Administrative users: Members of the Administrators user group (which includes the Admin user) have full administrative rights over the system. They can configure Security Center as they see fit. The Admin user and the Administrators user group are created at system installation. They have all the privileges and cannot be modified or deleted.

Actions reserved for administrative users: There are actions that only administrative users can perform because they can potentially affect the entire system. These actions are not associated with any privilege:
  • Adding, modifying, and deleting macros.
  • Creating generic event-to-actions (without a specific source entity).
  • Running the Diagnostic data collector.

Privilege exceptions for partitions

A user (or user group) has a set of basic privileges that is the result of the privileges inherited from their parent user groups, plus the ones explicitly allowed or denied to the user.

When a user is given access to a partition, their basic privileges are applied by default to the partition. As a system administrator, you can overwrite the privileges a user has over a specific partition. For example, a user can be allowed to configure alarms in partition A, but not in partition B. This means that a user can have a different set of privileges for each partition they have access to. Only Administrative and Action privileges, plus the privileges over public tasks, can be overwritten at the partition level.

The Manage partition memberships option

To allow a user to move entities from one partition to another to which they have access, you must grant them the associated Add/Delete <entities> pair of privileges for each entity type you allow them to move between partitions. If you do not want users to add and delete entities, but allow them to move entities between partitions to which they have access, you can enable the Manage partition memberships option from the user's Advanced configuration page.
NOTE: The Manage partition memberships option is treated as a privilege in the Security Center SDK. You can enable or disable this option by granting or revoking the SdkPrivilege.ManagePartitionMemberships privilege using the SetPrivilegeState() method.